[c-nsp] ios l2tp ipsec vpn help

Dan Letkeman danletkeman at gmail.com
Sun May 30 09:59:18 EDT 2010


Sort of...I have tried this a few times, but it doesn't seem to
initiate anything.

Here is an idea of what I want to do:

via a route-map, clients on lan1 accessing an http site
x-----------------2821------------l2tp over ipsec vpn------------VPN SERVICE PROVIDER

In that config it shows dialup clients which I don't have, and so I
don't understand how the 2821 can initiate the l2tp vpn?

This is the configuration I have tried, and after enabling all of the
debugs I can find, I have found that it does nothing.

vpdn enable
!
vpdn-group 1
 request-dialin
  protocol l2tp
 initiate-to ip 200.200.200.1
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 200.200.200.1
!
crypto ipsec transform-set testtrans esp-des
!
crypto map l2tpmap 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set testtrans
 match address 101
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! external interface
interface vlan 800
 ip address 65.65.65.1 255.255.255.224
 ip nat outside
 crypto map l2tpmap
!
access-list 101 permit udp host 20.1.1.1 eq 1701 host 20.1.1.2 eq 1701
!


Thanks,
Dan.

On Sun, May 30, 2010 at 1:04 AM, Sercan Aktas <saktas at thrupoint.net> wrote:
> Sorry, here is the link...
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f6f.shtml#diag
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sercan Aktas
> Sent: Sunday, May 30, 2010 9:50 AM
> To: 'Dan Letkeman'
> Cc: 'cisco-nsp'
> Subject: Re: [c-nsp] ios l2tp ipsec vpn help
>
> Hi Dan,
>
> Have a look this simple example on CCO for configuring L2TP over IPSec.
>
> I guess your router should be configured as LAC for your clients and then
> initiate a session to the LNS located at your VPN SP. Then the L2TP session
> between your router (LAC) and your provider router (LNS) should be encrypted
> using IPSec.
>
> I hope this is what you are looking for.
>
> Sercan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Sunday, May 30, 2010 7:38 AM
> To: cisco-nsp
> Subject: [c-nsp] ios l2tp ipsec vpn help
>
> I'm struggling with getting a connection to our vpn service provider
> from our 2821 router.  I would like to terminate the vpn on the router
> so I can route certain traffic through the vpn.  Example info I got
> from our vpn provider is:
>
> address: vpn.provider.com
> username: user
> password: pass
> l2tp shared secret: asdfasdfasdfasfd
>
> They support l2tp over ipsec, pptp and sstp.
>
> From the research I have done so far, I have found that ios does not
> support outgoing pptp connections, and I cannot for the life of me
> find a working l2tp over ipsec configuration that makes sense.  I do
> have an hwic-4esw card in the router that I am trying to make the vpn
> connection from, so I'm wondering if that is where I'm having the
> trouble....I'm also running NAT on the interfaces on this router,
> which could also be part of my problem.
>
> I'm a bit confused with the LAC, LNS, client-initiated, client peer,
> lan to lan, etc, configurations on the Cisco site.  I'm assuming that
> i should not be setting up my router as an LAC, but instead as a
> client?
>
> Does anyone know if this even works?  Or is the vpn support on an IOS
> router only for router to router configurations?
>
> Thanks,
> Dan.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
> Note:The information contained in this message may be privileged and
> confidential and protected from disclosure . If the reader of this message
> is not the
> intended recipient, or an employee or agent responsible for delivering this
> message to the intended recipient, you are hereby notified that any
> dissemination, distribution or copying of this communication is strictly
> prohibited. If you have received this communication in error, please notify
> us
> immediately by replying to the message and deleting it from your computer.
> Thankyou. ThruPoint Ltd.



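Added example, not part of this thread and not Cisco's or the list's code: a small Python lint over the crypto lines Dan posted, with a hypothetical hardened counterpart beside it. The checks it applies are this editor's choices (an explicit ISAKMP encryption, DH group 14 or better, a pre-shared key longer than a placeholder, no DES in the transform set, an integrity transform or AEAD, and a crypto ACL whose endpoints are the router's outside address and the peer); the hardened values (aes 256, sha256, group 14) and the PSK string are assumptions and placeholders, not a configuration known to work with Dan's provider. The last check is the one to look at first for the "does nothing" symptom: in the posted config, ACL 101 matches 20.1.1.1 to 20.1.1.2, neither of which is the vlan 800 address or the peer, so L2TP originated by the router toward 200.200.200.1 never matches the crypto map and IKE is never started.

```python
# Lint the crypto part of an IOS config fragment. Added example; the config
# strings are constructed copies, and the hardened one uses assumed values.
POSTED_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 200.200.200.1
crypto ipsec transform-set testtrans esp-des
crypto map l2tpmap 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set testtrans
 match address 101
interface vlan 800
 ip address 65.65.65.1 255.255.255.224
 crypto map l2tpmap
access-list 101 permit udp host 20.1.1.1 eq 1701 host 20.1.1.2 eq 1701
"""

HARDENED_CONFIG = """\
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Replace-With-A-Long-Random-PSK address 200.200.200.1
crypto ipsec transform-set testtrans esp-aes 256 esp-sha256-hmac
crypto map l2tpmap 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set testtrans
 match address 101
interface vlan 800
 ip address 65.65.65.1 255.255.255.224
 crypto map l2tpmap
access-list 101 permit udp host 65.65.65.1 eq 1701 host 200.200.200.1 eq 1701
"""


def parse_ios_crypto(config):
    """Minimal parser: a top-level line opens a block, indented lines belong to it."""
    cfg = {"policies": {}, "keys": [], "transforms": {}, "maps": {}, "interfaces": {}, "acls": {}}
    block = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if not raw.startswith(" "):  # top-level statement
            block = None
            if t[:3] == ["crypto", "isakmp", "policy"]:
                block = ("policies", t[3]); cfg["policies"][t[3]] = {}
            elif t[:3] == ["crypto", "isakmp", "key"]:
                cfg["keys"].append((t[3], t[5]))  # (psk, peer address)
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transforms"][t[3]] = t[4:]
            elif t[:2] == ["crypto", "map"]:
                block = ("maps", (t[2], t[3])); cfg["maps"][(t[2], t[3])] = {}
            elif t[0] == "interface":
                block = ("interfaces", " ".join(t[1:])); cfg["interfaces"][block[1]] = {}
            elif t[0] == "access-list":
                cfg["acls"].setdefault(t[1], []).append(t[2:])
            continue
        if block is None:
            continue
        kind, key = block
        entry = cfg[kind][key]
        if kind == "policies":
            entry[t[0]] = " ".join(t[1:])
        elif kind == "maps" and t[0] == "set":
            entry[t[1]] = " ".join(t[2:])
        elif kind == "maps" and t[:2] == ["match", "address"]:
            entry["acl"] = t[2]
        elif kind == "interfaces" and t[:2] in (["ip", "address"], ["crypto", "map"]):
            entry[t[1]] = t[2]  # "address" -> outside IP, "map" -> crypto map name
    return cfg


WEAK_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
INTEGRITY = {"esp-sha-hmac", "esp-sha256-hmac", "esp-sha384-hmac", "esp-sha512-hmac", "ah-sha-hmac"}


def lint(config):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_ios_crypto(config)
    out = []
    for num, p in cfg["policies"].items():
        if "encryption" not in p:
            out.append(f"isakmp policy {num}: no explicit encryption, the platform default applies")
        if int(p.get("group", "1")) < 14:
            out.append(f"isakmp policy {num}: DH group {p.get('group', '1')} is below group 14 (2048-bit)")
    for psk, peer in cfg["keys"]:
        if len(psk) < 16:
            out.append(f"isakmp key for {peer}: pre-shared key is only {len(psk)} characters")
    for name, parts in cfg["transforms"].items():
        for w in sorted(WEAK_CIPHERS & set(parts)):
            out.append(f"transform-set {name}: {w} is a weak cipher")
        if not (INTEGRITY & set(parts)) and not any(x.startswith("esp-gcm") for x in parts):
            out.append(f"transform-set {name}: no integrity transform (esp-*-hmac or an AEAD)")
    local = {i.get("map"): i.get("address") for i in cfg["interfaces"].values()}
    for (name, seq), m in cfg["maps"].items():
        peer, acl = m.get("peer"), m.get("acl")
        for ace in cfg["acls"].get(acl, []):
            hosts = [ace[i + 1] for i, tok in enumerate(ace) if tok == "host"]
            if len(hosts) == 2 and (hosts[0], hosts[1]) != (local.get(name), peer):
                out.append(f"crypto map {name} {seq}: ACL {acl} matches {hosts[0]} -> {hosts[1]} "
                           f"but the tunnel endpoints are {local.get(name)} -> {peer}, "
                           f"so router-originated L2TP never triggers IKE")
    return out


if __name__ == "__main__":
    for finding in lint(POSTED_CONFIG):
        print("posted:", finding)
    print("hardened:", lint(HARDENED_CONFIG) or "no findings")
```

The parser only understands the statement shapes that appear in the two fragments, so feed it the crypto, interface and access-list lines rather than a whole running config. Passing the lint says nothing about whether the L2TP session itself comes up; it only removes the obvious reasons the IPsec leg cannot start and the obvious weaknesses in the proposal.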